Microsoft Releases Emergency Safety Updates
Microsoft has released emergency safety updates for Edge, Teams, and Skype to address two zero-day vulnerabilities in open libraries used by these products.
- CVE-2023-4863 (CVSS: 8.8) is an overflow buffer vulnerability in the Libwebp library, which can lead to failures or arbitrary code execution.
- CVE-2023-5217 (CVSS: 8.8) is an overflow buffer vulnerability in the Google LibVPX video codes, which can result in application crashes or arbitrary code execution. This vulnerability has been exploited to install spy software.
The LibwebP library is widely used for encoding and decoding IBP format in various projects, including popular web browsers like Safari, Mozilla Firefox, Microsoft Edge, Opera, and built-in Android web browsers. It is also used in applications such as 1PASSWORD and Signal.
LIBVPX is used for encoding and decoding videos in VP8 and VP9 formats, commonly found in desktop video players and online streaming services like Netflix, YouTube, and Amazon Prime Video.
The vulnerabilities only affect a limited number of Microsoft products. Microsoft has patched the vulnerabilities in Microsoft Edge, Microsoft Teams, Skype, and the Webp image extension. Microsoft Store will automatically install updates for all affected users of Webp images unless automatic updates are disabled.
The vulnerabilities were discovered by Apple’s Security Engineering and Architecture (SEAR), Google’s Threat Analysis Group (Tag), and Citizen Lab. Both vulnerabilities were confirmed to have been exploited in real-world conditions, although specific details about the attacks have not been disclosed. Google has stated that access to error details and links may be restricted until a majority of users have received the necessary updates.
It is worth noting that CVE-2023-4863 was originally addressed by Google in late September. Initially, it was classified as a Chrome vulnerability, but was later assigned a separate identifier (CVE-2023-5129) and deemed a critical